The Spamhaus Project

Don't Route Or Peer Lists (DROP)

About the Data

Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic” list, containing IP ranges so dangerous to internet users that Spamhaus provides access, free of charge, to anyone who wants to add this layer of protection.

Policy Statement

The Spamhaus DROP lists consist of netblocks that are leased or stolen by professional spam or cyber-crime operations, and used for dissemination of malware, trojan downloaders, botnet controllers, or other kinds of malicious activity.

The DROP lists are a subset of the Spamhaus Blocklist (SBL), designed to give total protection from all activity involving the listed networks, over all Internet protocols. This specifically includes traffic directed to these networks, such as access to web sites hosted there. The DROP lists are also designed for use by Tier-1 and backbone providers in firewalls and routing equipment, to filter out malicious traffic from listed netblocks.

Networks are inserted in the DROP lists only after dedicated investigators and forensics specialists have gathered evidence that they are controlled by cybercrime groups or by "bulletproof" hosters that either ignore abuse reports or, more frequently, move abusive customers to different IPs to evade targeted listings. With IPv4 depletion, assignments of netblocks to customers are now typically done by IPv4 brokers and are much more dynamic than in the past. Furthermore, ASNs are rotated very rapidly together with company names by malicious actors. For these reasons, the DROP lists change on a daily basis tracking the continuous and relentless movement of rogue networks trying to avoid detection.

Benefits of this data

Protect against activity originating directly from rogue networks, such as spam campaigns, encryption via ransomware, DNS-hijacking and exploit attempts, authentication attacks to discover working access credentials, harvesting, and DDoS attacks. Also, gain automatic protection that immediately stops infected devices from communicating with adversaries using "bulletproof hosting" on listed networks. Users are often unaware of these background communications, so this infrastructure-level protection should be an important part of your overall security stack.

IP address space under the control of any legitimate network will never be listed, and false positives are extremely low, given the high confidence nature of this dataset.

How it works

There are five DROP lists, all of which are available for free. Provided in text and JSON formats, these datasets can be parsed for use on nearly any kind of device or software that can make decisions based on IP networks, e.g. network gateways, firewalls, web proxies, DNS resolvers, etc.

The DROP lists available are:

DROP (.txt) and DROPv6 (.txt) - IPv4 and IPv6 netblocks, respectively, that are "hijacked" or leased by professional spam, cyber-crime operations, or bulletproof hosters, directly allocated by an established Regional Internet Registry (RIR) or National Internet Registry (NIR).

eDROP (.txt) - extended DROP lists that respectively contain IPv4 netblocks that are controlled by spammers, cyber criminals or bulletproof hosters. These should be used in conjunction with the above datasets.

N.B. From April 10th 2024, eDROP data will be incorporated into DROP, and eDROPv6 will be available in DROPv6. This means the extended DROP lists will no longer be published, so please ensure your configuration is updated from this point.

DROP-ASN (.json) - Autonomous System Numbers (ASNs) controlled by spammers, cyber criminals, or bulletproof hosters, as well as "hijacked" ASNs. Access the JSON here: https://www.spamhaus.org/drop/asndrop.json
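One way to consume a text-format DROP file on a gateway or proxy, shown as an added example that is not Spamhaus code. It assumes the file layout is ";" comment lines for the header followed by one "CIDR ; SBL reference" entry per line; the sample data is constructed from documentation prefixes, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the assumed DROP text layout: ';' comment header,
# then "<CIDR> ; <SBL reference>" per line. Not real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: placeholder
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
2001:db8:bad::/48 ; SBL000003
not-a-network ; SBL000004
"""

def parse_drop(text):
    """Return (header_lines, entries); entries are (network, sbl_ref) tuples."""
    header, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            header.append(line)      # keep the date / copyright text with the data
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue                 # skip malformed lines rather than guess a range
        entries.append((net, ref.strip() or None))
    return header, entries

def lookup(entries, addr):
    """Return the SBL reference of the most specific listed range, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(n, r) for n, r in entries if n.version == ip.version and ip in n]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def flow_verdict(entries, src, dst):
    """DROP covers traffic to listed networks as well as from them."""
    for role, addr in (("src", src), ("dst", dst)):
        ref = lookup(entries, addr)
        if ref:
            return ("drop", role, ref)
    return ("allow", None, None)
```

Logging the returned SBL reference with each dropped flow lets an operator trace a block back to the record that caused it.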

Accessing this data, for free

Spamhaus believes that, due to the vital nature of the DROP list data, it should be available at no cost, regardless of size or business type, to protect internet users. We do ask that, when the data is used in a product, credit is given to the Spamhaus Project, and that the date and © text remain with the file and data.

For a more commercially focused solution, which also includes communities listing compromised and dedicated botnet command and controllers (C&Cs), we make data available via our partner Spamhaus Technology. Find out more about BGP Firewall.

Removal

Ranges in DROP are connected to the corresponding Spamhaus Blocklist (SBL) record mentioned in the DROP files. Once the SBL record is removed, the ranges will automatically leave DROP as well. Visit the SBL page for more information on removals.

Other Blocklists Available From Spamhaus

CSS - Combined Spam Sources

DBL - Domain Blocklist

XBL - Exploits Blocklist

PBL - Policy Blocklist

SBL - Spamhaus Blocklist

ZEN - PBL, SBL & XBL combined